I am trying to conditionally add access policies to a Key Vault. The problem is that the template cannot contain more than one resource named KeyVault/accessPolicies/add.
This is essentially what I am trying to achieve:
{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaultName": {
            "type": "string"
        }
    },
    "resources": [
        {
            "condition": "[parameters('someCondition')]",
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "name": "[concat(parameters('vaultName'), '/add')]",
            "apiVersion": "2016-10-01",
            "properties": {
                "accessPolicies": [
                    {
                        "tenantId": "[if(parameters('someCondition'), reference(variables('someAppServiceResourceId'), '2015-08-31-PREVIEW').tenantId, json('null'))]",
                        "objectId": "[if(parameters('someCondition'), reference(variables('someAppServiceResourceId'), '2015-08-31-PREVIEW').principalId, json('null'))]",
                        "permissions": {
                            "keys": ["all"],
                            "secrets": ["all"],
                            "certificates": ["all"],
                            "storage": ["all"]
                        }
                    }
                ]
            }
        },
        {
            "condition": "[parameters('otherCondition')]",
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "name": "[concat(parameters('vaultName'), '/add')]",
            "apiVersion": "2016-10-01",
            "properties": {
                "accessPolicies": [
                    {
                        "tenantId": "[if(parameters('otherCondition'), reference(variables('someOTHERAppServiceResourceId'), '2015-08-31-PREVIEW').tenantId, json('null'))]",
                        "objectId": "[if(parameters('otherCondition'), reference(variables('someOTHERAppServiceResourceId'), '2015-08-31-PREVIEW').principalId, json('null'))]",
                        "permissions": {
                            "keys": ["all"],
                            "secrets": ["all"],
                            "certificates": ["all"],
                            "storage": ["all"]
                        }
                    }
                ]
            }
        }
    ],
    "outputs": {
    }
}
But in this deployment I can only have one resource named 'KeyVaultName/add'.
I thought I could conditionally build the access policy array in a variable and do some array concatenation, but since I use the reference() function in the access policies to get the tenant and principal IDs, that does not work.
Answer 0 (score: 0)
Why do you think this would not work?
"properties": {
    "copy": [
        {
            "name": "accessPolicies",
            "count": "[xxx]",
            "input": {
                "tenantId": "[if(parameters('otherCondition'), reference(variables('someOTHERAppServiceResourceId'), '2015-08-31-PREVIEW').tenantId, json('null'))]",
                "objectId": "[if(parameters('otherCondition'), reference(variables('someOTHERAppServiceResourceId'), '2015-08-31-PREVIEW').principalId, json('null'))]",
                "permissions": {
                    "keys": ["all"],
                    "secrets": ["all"],
                    "certificates": ["all"],
                    "storage": ["all"]
                }
            }
        }
    ]
}
Answer 1 (score: 0)
"accessPolicies" accepts an array, which lets you specify several policies through a single resource. You can use an if expression similar to the one you are already using to conditionally apply policies within the same array. I found that json('null') caused deployment errors for me. Instead, when the condition is not met, I use the empty GUID '00000000-0000-0000-0000-000000000000' and assign an empty set of permissions, which effectively makes it a no-op.
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "variables": {
        "keyVaultNoPermissions": { },
        "keyVaultAllPermissions": {
            "keys": ["all"],
            "secrets": ["all"],
            "certificates": ["all"],
            "storage": ["all"]
        }
    },
    "resources": [
        // ...
        {
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "apiVersion": "2016-10-01",
            "name": "[concat(parameters('keyVaultName'), '/add')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[parameters('keyVaultName')]"
            ],
            "properties": {
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "[if(parameters('someCondition'), reference(variables('someAppServiceResourceId'), '2015-08-31-PREVIEW').principalId, '00000000-0000-0000-0000-000000000000')]",
                        "permissions": "[if(parameters('someCondition'), variables('keyVaultAllPermissions'), variables('keyVaultNoPermissions'))]"
                    },
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "[if(parameters('otherCondition'), reference(variables('someOTHERAppServiceResourceId'), '2015-08-31-PREVIEW').principalId, '00000000-0000-0000-0000-000000000000')]",
                        "permissions": "[if(parameters('otherCondition'), variables('keyVaultAllPermissions'), variables('keyVaultNoPermissions'))]"
                    }
                ]
            }
        }
    ]
}
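The question's duplicate-name error and the pitfalls raised in answer 1 (json('null') identities, empty-GUID no-op entries) are all visible in the template text before anything is deployed, so they can be caught in review. The following added example, written for this page and not taken from the question or either answer, is a small Python linter over an ARM template loaded as a dict: it reports several Microsoft.KeyVault/vaults/accessPolicies resources sharing one name, json('null') in tenantId/objectId, conditional no-op entries, and blanket "all" permissions (which answer 1 keeps but a least-privilege review would narrow). It goes slightly beyond the thread by following variables('x') references inside a permissions expression so that both branches of an if() are checked. The two sample templates, the parameter and variable names inside them (c1, c2, secretsRead, everything, and so on), and the severity labels are constructed for the example; the regex-based variable resolution is a simplification and does not evaluate ARM expressions.

```python
"""Static checks for the Key Vault access-policy pitfalls discussed in this thread.
Added example, not from the question or either answer; sample templates are constructed."""
import re
from collections import Counter

ACCESS_POLICY_TYPE = "microsoft.keyvault/vaults/accesspolicies"
EMPTY_GUID = "00000000-0000-0000-0000-000000000000"
PERMISSION_SCOPES = ("keys", "secrets", "certificates", "storage")
VARIABLE_REF = re.compile(r"variables\('([^']+)'\)")  # simplification: no real ARM evaluation


def _permission_candidates(perms, variables):
    """A literal permissions dict, or every variables('x') dict an expression could select."""
    if isinstance(perms, dict):
        return [perms]
    names = VARIABLE_REF.findall(str(perms))
    return [variables[n] for n in names if isinstance(variables.get(n), dict)]


def lint_access_policies(template):
    """Return (severity, message) findings for top-level accessPolicies resources."""
    findings = []
    variables = template.get("variables", {})
    resources = [r for r in template.get("resources", [])
                 if str(r.get("type", "")).lower() == ACCESS_POLICY_TYPE]

    # The deployment error from the question: several resources with the same name.
    # Names are ARM expressions, so the literal expression text is compared.
    for name, n in Counter(r.get("name", "") for r in resources).items():
        if n > 1:
            findings.append(("error", f"{n} accessPolicies resources named {name!r}; "
                                      "merge them into one resource with several entries"))

    for res in resources:
        for idx, policy in enumerate(res.get("properties", {}).get("accessPolicies", [])):
            where = f"{res.get('name')}[{idx}]"
            identity = f"{policy.get('tenantId', '')} {policy.get('objectId', '')}"
            if "json('null')" in identity:  # answer 1: fails at deployment time
                findings.append(("error", f"{where}: json('null') used as tenantId/objectId"))
            if EMPTY_GUID in str(policy.get("objectId", "")):
                findings.append(("info", f"{where}: conditional no-op entry (empty GUID)"))
            broad = set()
            for perms in _permission_candidates(policy.get("permissions", {}), variables):
                for scope in PERMISSION_SCOPES:
                    if any(str(p).lower() == "all" for p in perms.get(scope, [])):
                        broad.add(scope)
            if broad:  # least privilege: grant only the operations the principal needs
                findings.append(("warning", f"{where}: 'all' granted on {', '.join(sorted(broad))}"))
    return findings


# Constructed sample mirroring the question: two resources with the same name.
QUESTION_STYLE = {
    "resources": [
        {"type": "Microsoft.KeyVault/vaults/accessPolicies",
         "name": "[concat(parameters('vaultName'), '/add')]",
         "properties": {"accessPolicies": [{
             "tenantId": "[if(parameters('c1'), reference(variables('a')).tenantId, json('null'))]",
             "objectId": "[if(parameters('c1'), reference(variables('a')).principalId, json('null'))]",
             "permissions": {"keys": ["all"], "secrets": ["all"]}}]}},
        {"type": "Microsoft.KeyVault/vaults/accessPolicies",
         "name": "[concat(parameters('vaultName'), '/add')]",
         "properties": {"accessPolicies": [{
             "tenantId": "[if(parameters('c2'), reference(variables('b')).tenantId, json('null'))]",
             "objectId": "[if(parameters('c2'), reference(variables('b')).principalId, json('null'))]",
             "permissions": {"secrets": ["get", "list"]}}]}},
    ]
}

# Constructed sample mirroring answer 1: one resource, no-op entries via the empty GUID.
ANSWER_STYLE = {
    "variables": {"none": {}, "secretsRead": {"secrets": ["get", "list"]},
                  "everything": {"keys": ["all"], "secrets": ["all"]}},
    "resources": [
        {"type": "Microsoft.KeyVault/vaults/accessPolicies",
         "name": "[concat(parameters('keyVaultName'), '/add')]",
         "properties": {"accessPolicies": [
             {"tenantId": "[subscription().tenantId]",
              "objectId": f"[if(parameters('c1'), reference(variables('a')).principalId, '{EMPTY_GUID}')]",
              "permissions": "[if(parameters('c1'), variables('secretsRead'), variables('none'))]"},
             {"tenantId": "[subscription().tenantId]",
              "objectId": f"[if(parameters('c2'), reference(variables('b')).principalId, '{EMPTY_GUID}')]",
              "permissions": "[if(parameters('c2'), variables('everything'), variables('none'))]"},
         ]}}
    ]
}

if __name__ == "__main__":
    for label, tpl in (("question", QUESTION_STYLE), ("answer 1", ANSWER_STYLE)):
        print(f"== {label} ==")
        for severity, message in lint_access_policies(tpl):
            print(f"{severity:8} {message}")
```

Run against the question-style template it reports the duplicate name once, json('null') twice and one "all" warning; against the answer-style template it reports two no-op entries and one "all" warning that comes from the variable the if() expression can select. Loading a real template is a matter of passing json.load(open(path)) instead of the constructed dicts; nested child resources under a vault are not walked here.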